Providing mail relay services using SMTP

Configuring authentication through SASL

Before we can configure Postfix to allow relaying of mail for authenticated users we first have to configure the authentication mechanism we shall be using. The Postfix daemon does not perform any authentication itself instead it uses the Cyrus SASL (Simple Authentication and Security Layer) libraries provided by the dev-libs/cyrus-sasl package which was automatically installed as a dependency.

As usual the dev-libs/cyrus-sasl package installed an example configuration file in place of a usable one so our first task is to move the existing configuration file to another location, so that it is still available in the event we wish to examine it at a later date, and open a new blank configuration file which we can fill with our own settings. The commands below can be used to perform these tasks.

lisa mv /etc/sasl2/smtpd.conf /etc/sasl2/smtpd.conf.example
lisa nano -w /etc/sasl2/smtpd.conf

Once we have an empty configuration file open we can configure the connection between the Cyrus SASL library and the PostgreSQL database we are using to store our account details. As you can see from the configuration example below only three settings are required.

The first line in our configuration file specifies the method that the Cyrus SASL library should use to perform authentication. As you can see from the example we are using the authdaemond method. This method allows authentication to be performed by the authentication daemon we have already configured for use with Courier in the Providing access to stored mail using POP and IMAP section of this document.

The second line indicates which authentication methods the Postfix daemon will offer to clients. In our example we have specified the PLAIN and LOGIN methods. As both of these methods send the passwords over the network in clear-text it is important to follow the instructions in the Using SSL/TLS with Postfix SMTP and Courier POP3/IMAP section of this guide.

The third line beneath in our configuration file simply provides the path to the socket which should be used when communicating with the Courier authentication daemon.

pwcheck_method: authdaemond
mech_list: PLAIN LOGIN
authdaemond_path: /var/lib/courier/authdaemon/socket
The Postfix daemon uses the Cyrus SASL libraries to perform authentication. It does not use the Cyrus SASL saslauthd daemon so unless it is required by other services there is no need to start this process or add it to any run levels. It is also not possible to use the testsaslauthd application to test our configuration.

Configuring SASL authentication in Postfix

With the Cyrus SASL library configured to access authentication data from our database we are now ready to configure the Postfix daemon to use the Cyrus SASL library to perform authentication of our users. To do this we need to add the following block of configuration settings to the configuration file we have already created for the Postfix daemon.

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

The effect of the configuration settings in the above example are all fairly obvious. The first line enables SASL authentication. The second line disables anonymous login as an acceptable form of identification. The third line enables support for some email clients which have a broken SASL authentication process. The final line changes the default relay restrictions, which are usually just set to reject_unauth_destination, to allow SASL authenticated users to relay mail.

With those additions made to our configuration file we need to instruct the Postfix daemon to reload the configuration file so that these settings will be used. This can be performed using the command below.

lisa /etc/init.d/postfix restart

Testing authentication in Postfix

Although it would be nice to think that our configuration will work first time it is always prudent to conduct a test of our newly configured functionality to ensure that everything is working as expected. Before we can do this however we need to convert our email address and password into a base-64 encoded string so that we can use it later during our telnet session to the Postfix server. This can easily be performed using the command below remembering to replace the email address with whatever you have been using thus far.

lisa printf "\\0password" | base64

Now that we have our encoded email address and password combination we can test the authentication functionality using the telnet application as in previous examples. This time however we shall issue an EHLO greeting to indicate that we wish to use the extended functionality of the ESMTP protocol. The complete exchange is detailed below.

lisa ~ # telnet localhost 25
Connected to 
Escape character is '^]'. 
220 ESMTP Postfix 
250-SIZE 10240000 
250 DSN 
AUTH PLAIN AHNwYW1jYXRjaGVyQGhhY2tpbmcuY28udWsAcGFzc3dvcmQ 
235 2.0.0 Authentication successful 
221 2.0.0 Bye 
Connection closed by foreign host. 

Assuming all went well Postfix is now configured to allow authenticated users to relay mail messages through this server to any destination.